The system used advanced techniques such as JavaScript injection, one-time password interception, and WebView automation to evade notifications, automate subscriptions, track scams, and exfiltrate data. Deployed in Malaysia, Romania, Thailand, and Croatia, the malware read victims’ SIM cards and activated only for specific operators. Zimperium first detected the scam in March 2025 and tracked it until at least January 2026. Affected users can check Zimperium’s GitHub repository for indicators of compromise. It is still unclear how the infected applications found their victims.
However, Google insists that none of the 250 infected applications are available on its app store, according to Dark Reading. A Google spokesperson added: “Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.” Despite these claims, experts say the attack is indicative of wide-ranging security issues in the market. In an attack last year, hackers turned 150 Google Chrome extensions into viruses, infecting more than 4.3 million browsers. And while Android users can take steps to protect their security, attacks like those discovered by Zimperium require a complete overhaul of the application security framework.
Three malware variants, one result
Hackers used three malware variants to attack users. The first deployed an “automated subscription engine” to enroll victims into premium subscriptions without their knowledge. The most sophisticated of the three, this variant reads the device’s SIM card and activates only for hard-coded carriers such as Malaysia’s DiGi. To avoid detection, the applications displayed harmless web pages if the victim was not on one of the specified operator networks. If the victim was on a hard-coded billing network, however, the malware deployed a “clever social engineering tactic” to trick users into thinking they were authenticating a gaming account.
The app then abused Google’s SMS Retriever API to intercept one-time passwords before sending JavaScript commands to hidden web pages that subscribed the victim to premium content through the carrier’s billing portal. A second variant targeted users in Thailand with premium SMS messages that subscribed them to premium services. Zimperium identified this variant as using a multi-step approach to avoid detection: it shows users seemingly legitimate web pages while “the malware secretly loads hidden WebViews in the background to access additional carrier billing portals.”
According to Zimperium, the attackers deploying this malware variant also used an “advanced cookie-stealing technique” to “maintain authenticated sessions with the carrier’s billing system.” A third version of the system “combines the SMS fraud capabilities of previous variants with instant notification to attackers via Telegram, giving them real-time visibility into successful infections.” Integrating a Telegram channel highlights the sophistication of the attacks, allowing fraudsters to track success metrics and optimize operations.
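As an added illustration (not code from Zimperium’s report or from the campaign itself), the following Python triage heuristic shows how a defender could flag an app whose decompiled string dump combines the platform features described above: SIM operator gating, SMS Retriever use, hidden WebView automation, cookie harvesting and a Telegram callback. The class and method names are real Android and Play Services identifiers; the two string dumps are constructed samples, and the scoring thresholds are an assumption.

```python
import re
from collections import OrderedDict

# Indicator families drawn from the behaviours the article describes.
# Each maps to regexes matched against strings pulled from a decompiled APK.
INDICATORS = OrderedDict([
    ("sim_gating",    [r"TelephonyManager;->getSimOperator", r"getSimOperatorName"]),
    ("sms_retriever", [r"com/google/android/gms/auth/api/phone/SmsRetriever",
                       r"com\.google\.android\.gms\.auth\.api\.phone\.SMS_RETRIEVED"]),
    ("webview_auto",  [r"WebView;->evaluateJavascript", r"WebView;->loadUrl",
                       r"setJavaScriptEnabled\(Z\)"]),
    ("cookie_theft",  [r"CookieManager;->getCookie"]),
    ("telegram_c2",   [r"api\.telegram\.org/bot"]),
])

def classify(strings):
    """Return (set of indicator families hit, verdict) for a string dump."""
    hits = {fam for fam, pats in INDICATORS.items()
            if any(re.search(p, s) for p in pats for s in strings)}
    # Assumed rule: the combination of operator gating, OTP retrieval and
    # scripted WebViews is the core of the fraud flow; any one alone is
    # common in legitimate apps (e.g. SMS Retriever for OTP auto-fill).
    core = {"sim_gating", "sms_retriever", "webview_auto"}
    if core <= hits:
        verdict = "likely carrier-billing fraud"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return hits, verdict

# Constructed sample: what a fraud app's smali/string dump might contain.
SUSPECT = [
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    'const-string v0, "<MCCMNC>"',  # placeholder for a hard-coded operator code
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;",
    "https://api.telegram.org/bot<TOKEN>/sendMessage",
]
# Constructed sample: a legitimate app using SMS Retriever only for OTP auto-fill.
BENIGN = [
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient",
    "Landroid/widget/Toast;->makeText",
]

if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, classify(dump))
```

The heuristic only triages: a hit still needs manual confirmation, since OTP auto-fill and WebView logins are legitimate in many apps.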
A targeted program with broad implications
The program was very specific in its choice of targets. More than half of the scammers’ victims used Malaysian SIM cards. Thai and Romanian users each accounted for around 15% of the scam’s attacks, while Croatia accounted for 1% of the operation’s activity. Across these four jurisdictions, at least 10 operators were targeted by the malware. In order of prevalence, the list includes DiGi, Maxis, Celcom, U Mobile, Telekom, AIS, Orange, Vodafone, TrueMove H, and dtac TriNet. Although the campaign was initially detected in March 2025, its activities peaked in September 2025. Unfortunately, although the campaign was last active in January, Zimperium’s report highlights that “portions of the infrastructure remain operational.”
These attacks may be a sign of widespread cybersecurity failures. The abuse of legitimate platform features, such as Google’s SMS Retriever and Android’s CookieManager APIs, highlights how ordinary, documented functionality can be turned against users. AI research engineer Vineeta Sangaraju told Dark Reading that “these are not obscure attack surfaces, they are documented and widely used platform features, and the controls governing their use have not kept pace with their potential for abuse.” The campaign also reflects the difficulty of controlling app downloads, especially when users rely on third-party marketplaces.
However, infected apps and browser extensions still permeate legitimate stores. In April 2026, for example, cybersecurity researchers at Socket discovered more than 100 Google Chrome extensions that exfiltrated users’ browsing data. Although users should be vigilant when downloading new programs, the persistence of these problems suggests that companies need to reinvent their approach to marketplace security.
